Thousands of GitHub repositories exposed via Microsoft Copilot

Copilot has access to private GitHub repositories, researchers found
The repositories were public at some point, and Bing cached them
The caching behavior is “acceptable” says Microsoft

Thousands of private GitHub repositories, some of which possibly contained credentials and other secrets, are being exposed through Microsoft Copilot, the company’s Generative Artificial Intelligence (GenAI) virtual assistant, experts have warned.

Cybersecurity researchers from Lasso reported their findings to Microsoft but got a mixed response.

Lasso is a cybersecurity company focusing on threats emerging from the use of new AI tools, and reported Copilot was able to retrieve one of its own GitHub repositories which should have been private and inaccessible on the wider internet. Indeed, navigating directly to GitHub returns a “page not found” error. However, at one point the team mistakenly left the repository public for a short period of time – long enough for Microsoft’s Bing search engine to index it. That allowed Copilot access to the data, even though it shouldn’t have.

Severe implications

Lasso further investigated, compiling a list of tens of thousands of repositories that were public at one point, and set to private today, finding more than 20,000 which can still be accessed through Copilot, belonging to tens of thousands of organizations, including some of the technology sector’s biggest players.

The implications of the findings could be quite severe. Speaking to TechCrunch, Lasso’s co-founder Ophir Dror said it used the flaw to retrieve a GitHub that hosted a tool allowing them to create “offensive and harmful” AI images using MIcrosoft’s cloud AI service. Different company secrets could also be exposed this way, prompting Dror to advise victims to rotate or revoke their keys.

Microsoft allegedly told the company that the issue is “low severity” and that the caching behavior was “acceptable.” However, as of December 2024, Microsoft no longer includes links to Bing’s cache in its search results. Copilot can still access the data.

https://cdn.mos.cms.futurecdn.net/aNSyW6WY7t2j9fMrzaPPVb-1200-80.jpeg

Source link

Amazon’s biggest rival offers a near-identical alternative in three-quarters of cases but huge issues remains

How to download TikTok videos without a watermark

NYT Connections hints and answers for Friday, February 28 (game #628)

Quordle hints and answers for Friday, February 28 (game #1131)

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Which Celebrity Styles Americans Copy Most in 2025: New Study

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

Apple sued over 'carbon neutral' claim for watches

Trump’s FTC chair seeks to ‘combat inflation by making sure wages stay up’

Mexico to extradite drug lord Rafael Caro Quintero to the United States

Spot Bitcoin ETFs experience record outflow, bleeding over $1 billion in one day

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Thousands of GitHub repositories exposed via Microsoft Copilot

Apple sued over 'carbon neutral' claim for watches

Amazon’s biggest rival offers a near-identical alternative in three-quarters of cases but huge issues remains

Trump’s FTC chair seeks to ‘combat inflation by making sure wages stay up’

Mexico to extradite drug lord Rafael Caro Quintero to the United States

Leave a reply Cancel reply